New opt-in support to only use strong SSL ciphers and MACs.

The new configuration variable is $sshd_hardened_ssl.
Settings were stolen from https://github.com/ioerror/duraconf.git.

diff --git a/README b/README
index fa4214d2e6debff5947d1cb5dbbeba7b5d389c30..9cf253f04b7eb1d5a796dfa160c5c102d37f266f 100644 (file)
--- a/README
+++ b/README
@@ -170,6 +170,10 @@ The following is a list of the currently available variables:
     (e.g. /etc/ssh/authorized_keys/%u). Default: AuthorizedKeysFile
     %h/.ssh/authorized_keys
 
+ $sshd_hardened_ssl
+    Use only strong SSL ciphers and MAC.
+    Values: no or yes; Default: no.
+
  $sshd_sftp_subsystem
     Set a different sftp-subystem than the default one. Might be interesting for
     sftponly usage. Default: empty -> no change of the default

diff --git a/manifests/init.pp b/manifests/init.pp
index 991fbbaf48e6b437df937fef552cd4b0c7eb811d..cc5f10ee25ed5b99490dce0103afa5bb833a16f3 100644 (file)
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -77,6 +77,9 @@ class sshd {
   case $sshd_authorized_keys_file {
     '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
   }
+  case $sshd_hardened_ssl {
+    '': { $sshd_hardened_ssl = 'no' }
+  }
   case $sshd_sftp_subsystem {
     '': { $sshd_sftp_subsystem = '' }
   }

diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 544effe09fadcc8f51babc1d0a8aafce8a9cabf7..859759a9e77507b4fe46bc4ee7cf3077b455d823 100644 (file)
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -204,6 +204,11 @@ AllowUsers <%= sshd_allowed_users %>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end -%>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>

diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index c90a5fefe0ed87fc0489ca016771e7aea0b7a327..23559fcb62e1f68abddf9d1546e65970c653a7dd 100644 (file)
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -172,6 +172,11 @@ AllowGroups <%= sshd_allowed_groups %>
 
 PrintMotd no
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>

diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 14e32bf8b519bcb24aa9ebf5d51b6fa966137bb0..65befdcad1859fb12af9a8ca69a9d55bc7bcfcd2 100644 (file)
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -181,6 +181,11 @@ AllowGroups <%= sshd_allowed_groups %>
 
 PrintMotd no
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>

diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb
index 6dc93336ad530f1a8a5d5e9eb4ccbef3471eae7d..0213342e2426f7073b4cc2360822c8dc58c3512a 100644 (file)
--- a/templates/sshd_config/Debian_sid.erb
+++ b/templates/sshd_config/Debian_sid.erb
@@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>

diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb
index cf50ddbebf0460b8e7aabf46b643839d51043a50..dfebcc3777c4565c14495e55f2754d299c8a50f6 100644 (file)
--- a/templates/sshd_config/Debian_squeeze.erb
+++ b/templates/sshd_config/Debian_squeeze.erb
@@ -197,6 +197,11 @@ AllowUsers <%= sshd_allowed_users -%>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>

diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 768d3f5dd77341187a6ee9fb6f32707976260458..f9f5b237dae540f5a5a24166cfc7e70474a8b3a6 100644 (file)
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -208,6 +208,10 @@ AllowUsers <%= sshd_allowed_users %>
 AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
 
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>

diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index 51662d3ebdcc59e83ff31b36a25c1d7d9a49d3c0..7a20cd9c7f9e580c7b47c12a19c916187b7cb7b7 100644 (file)
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -184,6 +184,11 @@ AllowGroups <%= sshd_allowed_groups %>
 #      AllowTcpForwarding no
 #      ForceCommand cvs server
 
+<%- if sshd_hardened_ssl.to_s == 'yes' then -%>
+Ciphers aes256-ctr
+MACs hmac-sha1
+<%- end -%>
+
 <%- unless sshd_tail_additional_options.to_s.empty? then %>
 <%= sshd_tail_additional_options %>
 <%- end %>